Take note that these machines also have old apps installed on them that are vulnerable. I also didn't include the AV's and firewall configurations and other things because they need to be changed according to what you are planning to do.

If you want to add Android to your lab, I might suggest you look into android-x86. That might not fit all your development and reversing need, as it's not built on native arm, but for other things it will work just fine.

Otherwise, I'd suggest you get a live device (broken screen or earphone, old phone, cheap used, anything that goes for around 50eur) and use vnc / ssh / adb to control it and do whatever you want from your linux or win pc. This is because sometimes you need a real device to get your things working correctly.

Even though I love virtual machines, I find it would be much safer (for forensic purposes) to use everything on a usb. I would also have a couple monitors on a desk and a couple different wireless cards to do testing.

Keep it simple and practical. I'm on this at ~6 years and i tell you my opinion, it's just an opinion. You has 2 modes of hacking ...Local or Remote.

For LOCAL you must know who vulnerability discovery+exploitation work, my best results have been made using SET (Social Engineering Toolkit -Kali) with the option ''infectious media generator'' and with ''QRcode'' i've printed the QRcode and made a flyer on the shopping with 'promotion at cinema' so i can get someone to scan it.

For REMOTE you must desautenticate from your home router and have a device connected to it (your target). So you must bypass the router auth and then vulnerability assesment again.

THAT'S ALL YOU NEED, don't wast PC resources with a lot of things, your time still be more valuable than your PC, remember it.